Saturday, February 04, 2023

Intelligence agency says ransomware group with Russian ties poses 'an enduring threat' to Canada

LockBit was responsible for 22 per cent of attributed ransomware incidents in Canada, says CSE

A health-care worker treats a patient in the emergency department at Toronto’s Hospital for Sick Children. The hospital was hit by a ransomware attack in late December that delayed lab results and crippled its phone systems. (Chris Young/The Canadian Press)

Canada's cyber intelligence agency says LockBit — a prolific ransomware group with links to Russia — was responsible for 22 per cent of attributed ransomware incidents in Canada last year and will pose an "enduring threat" to Canadian organizations this year.

On Thursday, the Communications Security Establishment said it sent a threat report to Canadian organizations warning about LockBit and its affiliates.

CSE describes LockBit as a group of "financially-motivated, Russian-speaking" cybercriminals "very likely based in a Commonwealth of Independent States country" — an assembly of countries that once were part of the Soviet Union. 

"The Cyber Centre assesses that LockBit will almost certainly remain an enduring threat to both Canadian and international organizations into 2023," said CSE spokesperson Evan Koronewski.

"In 2022, LockBit was responsible for 22 per cent of attributed ransomware incidents in Canada and an estimated 44 per cent of global incidents."

Koronewski said LockBit selects its victims based on opportunity — and is known for hitting hospitals and transit systems. 

Toronto's Hospital for Sick Children was hit by a ransomware attack in late December that delayed lab results and crippled its phone systems. LockBit apologized, claiming one of its "partners" was behind the hit on Canada's largest pediatric medical centre.

The Federal Bureau of Investigation in the U.S. has called LockBit "one of the most active and destructive ransomware variants in the world."

Ransomware attacks involve malicious software used to cripple a target's computer system to solicit a cash payment. 

LockBit is considered a ransomware-as-a-service group, meaning it owns a ransomware strain and sells access to it to affiliates. Groups like LockBit support the deployment of their ransomware by third parties in exchange for upfront payments, subscription fees, a cut of profits, or all three, said CSE.

In November, a dual Russian-Canadian national was charged for his alleged participation in the LockBit global ransomware campaign. Mikhail Vasiliev, 33, of Bradford, Ont. is charged with conspiracy to intentionally damage protected computers and to transmit ransom demands. He is fighting his extradition to the United States.

Brett Callow, a threat analyst at Emsisoft, said getting a clear picture of LockBit's reach and power is difficult.

He said statistics are often based on posting pages from the dark web where ransomware gangs list non-paying victims, and don't always indicate activity levels.

"How many ransomware attacks are there? Are the numbers trending up or down? These should be easy questions to answer but, due to a lack of solid data, they're not," he said.

"So, not only do we have an incomplete picture as to how and why attacks succeed, but it's hard for policymakers to establish whether counter-ransomware policies are working if they don't have accurate statistical data." 

CSE warned of retaliatory cyber attacks from Russia

Thursday's warning is the second in a week from CSE, at a time of heightened geopolitical tensions with Russia. 

Last week, CSE called for a "heightened state of vigilance" against the threat of retaliatory cyber attacks from Russia-aligned hackers — just hours after Ottawa promised to give Ukraine four Leopard 2 A4 main battle tanks.

That warning came as Killnet, a group Canada and its allies describe as a "Russian-aligned cybercrime group," vowed to go after countries that support Ukraine.

Reuters reported earlier this week that Killnet ran a denial-of-service (DDoS) campaign against several German websites to knock them offline Wednesday after that country announced it would be sending tanks to Ukraine.

Germany's security agency BSI said some financial sector targets were also affected but the hits had little effect.

LockBit brags it pumped ION full of ransomware

Crims put a February 4 deadline for software slinger to pay up

Jessica Lyons Hardcastle
Fri 3 Feb 2023 

UK regulators are investigating a cyberattack against financial technology firm ION, while the LockBit ransomware gang has threatened to publish the stolen data on February 4 if the software provider doesn't pay up.

According to a statement posted on ION Market's website, its ION Cleared Derivatives division "experienced a cybersecurity event" on January 31.

"The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing," the notice said. "Further updates will be posted when available."

LockBit, a ransomware group with ties to Russia, has since said it pulled off the data heist, and promised to publish "all available data," according to a screenshot posted by Emsisoft threat analyst Brett Callow.

This is the crime gang that may or may not have also attacked Royal Mail last month. Despite claiming one of its affiliates compromised the postal service, Royal Mail hasn't been listed on LockBit's leak site, as Callow noted.

While the ION security alert didn't provide any additional details, media reports said the attack affected 42 of ION's customers, which likely included ABN Amro Clearing and Intesa Sanpaolo, Italy's biggest bank, Reuters reported.

Meanwhile, some European and US banks and brokers had to pull the pens and paper out of storage. ION's software automates trading processes, and Bloomberg reported the outage forced these banks and brokers to manually process derivative trades.

The attack prompted the Futures Industry Association (FIA) to weigh in on the security snafu, which it said has affected ION clients "across global markets."

The industry association, which represents futures dealers, investors and exchanges, said it was working with its member organizations, "including clearing firms and exchanges, as well as market regulators and others, to assess the extent of the impact on trading, processing, and clearing."

Additionally, a spokesperson for the UK's Financial Conduct Authority told The Register that the FCA is "aware of this incident and we will continue to work with our counterparts and the firms affected."

The FCA regulates British banks and financial services companies. While ION, as a third-party software provider, isn't an FCA-regulated business, it does provide services to several firms that do fall under the agency's purview.

As such, the FCA is working with its counterparts to help affected financial services firms.

US downplays risk

The US Treasury Department also confirmed the ransomware attack against ION, but said it didn't pose a "systemic risk" to industry.

"The issue is currently isolated to a small number of smaller and mid-size firms and does not pose a systemic risk to the financial sector," Deputy Assistant Secretary of the Treasury for Office of Cybersecurity and Critical Infrastructure Protection Todd Conklin told The Register.

"We remain connected with key financial sector partners, and will advise of any changes to this assessment," Conklin added.

However, these types of supply-chain, or "island-hopping" attacks, are becoming more prevalent in the financial sector, Tom Kellermann, senior VP of cyber strategy at Contrast Security, told The Register.

"Shared service providers are being increasingly targeted by cybercrime cartels to manifest island hopping," he said. "Cyberattacks in the financial sector are no longer merely about conducting a heist but rather to hijack the digital transformation of the victim so as to launch attacks against their customer base."
